
Text file src/sigs.k8s.io/gateway-api/config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml

Documentation: sigs.k8s.io/gateway-api/config/crd/experimental

     # CustomResourceDefinition for the Gateway API ReferenceGrant resource
     # (experimental channel, bundle v1.0.0 per the annotations below).
     # A ReferenceGrant is the object that authorises cross-namespace references:
     # per the schema description, implementations MUST NOT honour a
     # cross-namespace reference that has no grant, and MUST revoke the access
     # when the grant is removed.
     apiVersion: apiextensions.k8s.io/v1
     kind: CustomResourceDefinition
     metadata:
       annotations:
         api-approved.kubernetes.io: 'https://github.com/kubernetes-sigs/gateway-api/pull/2466'
         gateway.networking.k8s.io/bundle-version: 'v1.0.0'
         gateway.networking.k8s.io/channel: 'experimental'
       # null placeholder; presumably emitted by the CRD generator.
       creationTimestamp: null
       name: referencegrants.gateway.networking.k8s.io
     spec:
       group: gateway.networking.k8s.io
       names:
         categories:
         - gateway-api
         kind: ReferenceGrant
         listKind: ReferenceGrantList
         plural: referencegrants
         shortNames:
         - refgrant
         singular: referencegrant
       # Namespaced: a grant lives in the namespace that owns the referenced
       # resources ("the same namespace as the policy"). Create/update/delete
       # rights on referencegrants in a namespace therefore decide who may reach
       # that namespace's resources from outside; scope RBAC on this resource
       # accordingly.
       scope: Namespaced
       versions:
       # v1alpha2: deprecated but still served (served: true, storage: false), so
       # clients can keep reading and writing grants through it; v1beta1 is the
       # storage version.
       - additionalPrinterColumns:
         - jsonPath: '.metadata.creationTimestamp'
           name: Age
           type: date
         deprecated: true
         deprecationWarning: >-
           The v1alpha2 version of ReferenceGrant has been deprecated
           and will be removed in a future release of the API. Please upgrade to v1beta1.
         name: v1alpha2
         schema:
           openAPIV3Schema:
             description: "ReferenceGrant identifies kinds of resources in other namespaces
               that are trusted to reference the specified kinds of resources in the same
               namespace as the policy. \n Each ReferenceGrant can be used to represent
               a unique trust relationship. Additional Reference Grants can be used to
               add to the set of trusted sources of inbound references for the namespace
               they are defined within. \n A ReferenceGrant is required for all cross-namespace
               references in Gateway API (with the exception of cross-namespace Route-Gateway
               attachment, which is governed by the AllowedRoutes configuration on the
               Gateway, and cross-namespace Service ParentRefs on a \"consumer\" mesh Route,
               which defines routing rules applicable only to workloads in the Route namespace).
               ReferenceGrants allowing a reference from a Route to a Service are only
               applicable to BackendRefs. \n ReferenceGrant is a form of runtime verification
               allowing users to assert which cross-namespace object references are permitted.
               Implementations that support ReferenceGrant MUST NOT permit cross-namespace
               references which have no grant, and MUST respond to the removal of a grant
               by revoking the access that the grant allowed."
             properties:
               apiVersion:
                 description: >-
                   APIVersion defines the versioned schema of this representation
                   of an object. Servers should convert recognized schemas to the latest
                   internal value, and may reject unrecognized values. More info:
                   https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                 type: string
               kind:
                 description: >-
                   Kind is a string value representing the REST resource this
                   object represents. Servers may infer this from the endpoint the client
                   submits requests to. Cannot be updated. In CamelCase. More info:
                   https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                 type: string
               metadata:
                 type: object
               spec:
                 description: Spec defines the desired state of ReferenceGrant.
                 properties:
                   # Trusted sources of inbound references. Entries are OR-ed.
                   # NOTE(review): read together with "to", each source listed
                   # here appears to be allowed to reference each target listed
                   # there; confirm against the implementation in use.
                   from:
                     description: "From describes the trusted namespaces and kinds that
                       can reference the resources described in \"To\". Each entry in this
                       list MUST be considered to be an additional place that references
                       can be valid from, or to put this another way, entries MUST be combined
                       using OR. \n Support: Core"
                     items:
                       description: ReferenceGrantFrom describes trusted namespaces and kinds.
                       properties:
                         group:
                           description: "Group is the group of the referent. When empty,
                             the Kubernetes core API group is inferred. \n Support: Core"
                           maxLength: 253
                           # The "^$" alternative accepts the empty string (core API group).
                           pattern: '^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                           type: string
                         kind:
                           description: "Kind is the kind of the referent. Although implementations
                             may support additional resources, the following types are
                             part of the \"Core\" support level for this field. \n When
                             used to permit a SecretObjectReference: \n * Gateway \n When
                             used to permit a BackendObjectReference: \n * GRPCRoute *
                             HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
                           maxLength: 63
                           minLength: 1
                           pattern: '^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$'
                           type: string
                         # Required, and the pattern admits only a single
                         # lowercase DNS-label style name: there is no wildcard or
                         # selector form, so every trusted namespace has to be
                         # listed explicitly.
                         namespace:
                           description: "Namespace is the namespace of the referent. \n
                             Support: Core"
                           maxLength: 63
                           minLength: 1
                           pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                           type: string
                       required:
                       - group
                       - kind
                       - namespace
                       type: object
                     # Between 1 and 16 entries; an empty list fails validation.
                     maxItems: 16
                     minItems: 1
                     type: array
                   # Resources in this namespace that the sources above may
                   # reference. Entries are OR-ed.
                   to:
                     description: "To describes the resources that may be referenced by
                       the resources described in \"From\". Each entry in this list MUST
                       be considered to be an additional place that references can be valid
                       to, or to put this another way, entries MUST be combined using OR.
                       \n Support: Core"
                     items:
                       description: >-
                         ReferenceGrantTo describes what Kinds are allowed as
                         targets of the references.
                       properties:
                         group:
                           description: "Group is the group of the referent. When empty,
                             the Kubernetes core API group is inferred. \n Support: Core"
                           maxLength: 253
                           pattern: '^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                           type: string
                         kind:
                           description: "Kind is the kind of the referent. Although implementations
                             may support additional resources, the following types are
                             part of the \"Core\" support level for this field: \n * Secret
                             when used to permit a SecretObjectReference * Service when
                             used to permit a BackendObjectReference"
                           maxLength: 63
                           minLength: 1
                           pattern: '^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$'
                           type: string
                         # Optional (absent from "required"). When omitted the
                         # grant covers every object of this Group/Kind in the
                         # namespace, e.g. all Secrets; set it to keep a grant
                         # narrow. Only the length is validated, not the format.
                         name:
                           description: >-
                             Name is the name of the referent. When unspecified,
                             this policy refers to all resources of the specified Group
                             and Kind in the local namespace.
                           maxLength: 253
                           minLength: 1
                           type: string
                       required:
                       - group
                       - kind
                       type: object
                     maxItems: 16
                     minItems: 1
                     type: array
                 required:
                 - from
                 - to
                 type: object
             type: object
         served: true
         storage: false
         # Empty mapping: no status or scale subresource is declared.
         subresources: {}
       # v1beta1: served and the storage version. Its spec schema carries the same
       # fields, patterns and limits as v1alpha2 above; only the top-level
       # description text differs.
       - additionalPrinterColumns:
         - jsonPath: '.metadata.creationTimestamp'
           name: Age
           type: date
         name: v1beta1
         schema:
           openAPIV3Schema:
             description: "ReferenceGrant identifies kinds of resources in other namespaces
               that are trusted to reference the specified kinds of resources in the same
               namespace as the policy. \n Each ReferenceGrant can be used to represent
               a unique trust relationship. Additional Reference Grants can be used to
               add to the set of trusted sources of inbound references for the namespace
               they are defined within. \n All cross-namespace references in Gateway API
               (with the exception of cross-namespace Gateway-route attachment) require
               a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing
               users to assert which cross-namespace object references are permitted. Implementations
               that support ReferenceGrant MUST NOT permit cross-namespace references which
               have no grant, and MUST respond to the removal of a grant by revoking the
               access that the grant allowed."
             properties:
               apiVersion:
                 description: >-
                   APIVersion defines the versioned schema of this representation
                   of an object. Servers should convert recognized schemas to the latest
                   internal value, and may reject unrecognized values. More info:
                   https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                 type: string
               kind:
                 description: >-
                   Kind is a string value representing the REST resource this
                   object represents. Servers may infer this from the endpoint the client
                   submits requests to. Cannot be updated. In CamelCase. More info:
                   https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                 type: string
               metadata:
                 type: object
               spec:
                 description: Spec defines the desired state of ReferenceGrant.
                 properties:
                   # Trusted sources of inbound references; entries are OR-ed.
                   from:
                     description: "From describes the trusted namespaces and kinds that
                       can reference the resources described in \"To\". Each entry in this
                       list MUST be considered to be an additional place that references
                       can be valid from, or to put this another way, entries MUST be combined
                       using OR. \n Support: Core"
                     items:
                       description: ReferenceGrantFrom describes trusted namespaces and kinds.
                       properties:
                         group:
                           description: "Group is the group of the referent. When empty,
                             the Kubernetes core API group is inferred. \n Support: Core"
                           maxLength: 253
                           # The "^$" alternative accepts the empty string (core API group).
                           pattern: '^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                           type: string
                         kind:
                           description: "Kind is the kind of the referent. Although implementations
                             may support additional resources, the following types are
                             part of the \"Core\" support level for this field. \n When
                             used to permit a SecretObjectReference: \n * Gateway \n When
                             used to permit a BackendObjectReference: \n * GRPCRoute *
                             HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
                           maxLength: 63
                           minLength: 1
                           pattern: '^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$'
                           type: string
                         # Required single-name field: no wildcard or selector
                         # form passes the pattern, so each trusted namespace is
                         # named explicitly.
                         namespace:
                           description: "Namespace is the namespace of the referent. \n
                             Support: Core"
                           maxLength: 63
                           minLength: 1
                           pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                           type: string
                       required:
                       - group
                       - kind
                       - namespace
                       type: object
                     # Between 1 and 16 entries; an empty list fails validation.
                     maxItems: 16
                     minItems: 1
                     type: array
                   # Resources in this namespace that may be referenced; entries
                   # are OR-ed.
                   to:
                     description: "To describes the resources that may be referenced by
                       the resources described in \"From\". Each entry in this list MUST
                       be considered to be an additional place that references can be valid
                       to, or to put this another way, entries MUST be combined using OR.
                       \n Support: Core"
                     items:
                       description: >-
                         ReferenceGrantTo describes what Kinds are allowed as
                         targets of the references.
                       properties:
                         group:
                           description: "Group is the group of the referent. When empty,
                             the Kubernetes core API group is inferred. \n Support: Core"
                           maxLength: 253
                           pattern: '^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                           type: string
                         kind:
                           description: "Kind is the kind of the referent. Although implementations
                             may support additional resources, the following types are
                             part of the \"Core\" support level for this field: \n * Secret
                             when used to permit a SecretObjectReference * Service when
                             used to permit a BackendObjectReference"
                           maxLength: 63
                           minLength: 1
                           pattern: '^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$'
                           type: string
                         # Optional. When omitted the grant covers every object of
                         # this Group/Kind in the namespace; set it to keep a grant
                         # narrow. Only the length is validated, not the format.
                         name:
                           description: >-
                             Name is the name of the referent. When unspecified,
                             this policy refers to all resources of the specified Group
                             and Kind in the local namespace.
                           maxLength: 253
                           minLength: 1
                           type: string
                       required:
                       - group
                       - kind
                       type: object
                     maxItems: 16
                     minItems: 1
                     type: array
                 required:
                 - from
                 - to
                 type: object
             type: object
         served: true
         storage: true
         # Empty mapping: no status or scale subresource is declared.
         subresources: {}
     # Empty status stanza. NOTE(review): these values look like generator
     # output rather than authored configuration; confirm before relying on them.
     status:
       acceptedNames:
         kind: ""
         plural: ""
       conditions: null
       storedVersions: null
